|
|
<!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="theme-color" content="#375EAB">
<title>x509 - The Go Programming Language</title>
<link type="text/css" rel="stylesheet" href="../../../lib/godoc/style.css">
<link rel="stylesheet" href="../../../lib/godoc/jquery.treeview.css"><script type="text/javascript">window.initFuncs = [];</script></head><body>
<div id='lowframe' style="position: fixed; bottom: 0; left: 0; height: 0; width: 100%; border-top: thin solid grey; background-color: white; overflow: auto;">...</div><!-- #lowframe -->
<div id="topbar" class="wide"><div class="container"><div class="top-heading" id="heading-wide"><a href="http://localhost:6060/">The Go Programming Language</a></div><div class="top-heading" id="heading-narrow"><a href="http://localhost:6060/">Go</a></div><a href="index.html#" id="menu-button"><span id="menu-button-arrow">▽</span></a><form method="GET" action="http://localhost:6060/search"><div id="menu"><a href="http://localhost:6060/doc/">Documents</a><a href="http://localhost:6060/pkg/">Packages</a><a href="http://localhost:6060/project/">The Project</a><a href="http://localhost:6060/help/">Help</a><a href="http://localhost:6060/blog/">Blog</a>
<input type="text" id="search" name="q" class="inactive" value="Search" placeholder="Search"></div></form>
</div></div>
<div id="page" class="wide"><div class="container">
<h1>Package x509</h1>
<div id="nav"></div>
<!--
Copyright 2009 The Go Authors. All rights reserved. Use of this source code is governed by a BSD-style license that can be found in the LICENSE file.--><!--
Note: Static (i.e., not template-generated) href and id attributes start with "pkg-" to make it impossible for them to conflict with generated attributes (some of which correspond to Go identifiers).-->
<script type='text/javascript'> document.ANALYSIS_DATA = null; document.CALLGRAPH = null; </script>
<div id="short-nav"> <dl> <dd><code>import "crypto/x509"</code></dd> </dl> <dl> <dd><a href="index.html#pkg-overview" class="overviewLink">Overview</a></dd> <dd><a href="index.html#pkg-index" class="indexLink">Index</a></dd> <dd><a href="index.html#pkg-examples" class="examplesLink">Examples</a></dd> <dd><a href="index.html#pkg-subdirectories">Subdirectories</a></dd> </dl> </div> <!-- The package's Name is printed as title by the top-level template --> <div id="pkg-overview" class="toggleVisible"> <div class="collapsed"> <h2 class="toggleButton" title="Click to show Overview section">Overview ▹</h2> </div> <div class="expanded"> <h2 class="toggleButton" title="Click to hide Overview section">Overview ▾</h2> <p>Package x509 parses X.509-encoded keys and certificates.</p>
</div> </div>
<div id="pkg-index" class="toggleVisible"> <div class="collapsed"> <h2 class="toggleButton" title="Click to show Index section">Index ▹</h2> </div> <div class="expanded"> <h2 class="toggleButton" title="Click to hide Index section">Index ▾</h2>
<!-- Table of contents for API; must be named manual-nav to turn off auto nav. --> <div id="manual-nav"> <dl> <dd><a href="index.html#pkg-variables">Variables</a></dd> <dd><a href="index.html#CreateCertificate">func CreateCertificate(rand io.Reader, template, parent *Certificate, pub, priv interface{}) (cert []byte, err error)</a></dd> <dd><a href="index.html#CreateCertificateRequest">func CreateCertificateRequest(rand io.Reader, template *CertificateRequest, priv interface{}) (csr []byte, err error)</a></dd> <dd><a href="index.html#DecryptPEMBlock">func DecryptPEMBlock(b *pem.Block, password []byte) ([]byte, error)</a></dd> <dd><a href="index.html#EncryptPEMBlock">func EncryptPEMBlock(rand io.Reader, blockType string, data, password []byte, alg PEMCipher) (*pem.Block, error)</a></dd> <dd><a href="index.html#IsEncryptedPEMBlock">func IsEncryptedPEMBlock(b *pem.Block) bool</a></dd> <dd><a href="index.html#MarshalECPrivateKey">func MarshalECPrivateKey(key *ecdsa.PrivateKey) ([]byte, error)</a></dd> <dd><a href="index.html#MarshalPKCS1PrivateKey">func MarshalPKCS1PrivateKey(key *rsa.PrivateKey) []byte</a></dd> <dd><a href="index.html#MarshalPKIXPublicKey">func MarshalPKIXPublicKey(pub interface{}) ([]byte, error)</a></dd> <dd><a href="index.html#ParseCRL">func ParseCRL(crlBytes []byte) (certList *pkix.CertificateList, err error)</a></dd> <dd><a href="index.html#ParseCertificates">func ParseCertificates(asn1Data []byte) ([]*Certificate, error)</a></dd> <dd><a href="index.html#ParseDERCRL">func ParseDERCRL(derBytes []byte) (certList *pkix.CertificateList, err error)</a></dd> <dd><a href="index.html#ParseECPrivateKey">func ParseECPrivateKey(der []byte) (key *ecdsa.PrivateKey, err error)</a></dd> <dd><a href="index.html#ParsePKCS1PrivateKey">func ParsePKCS1PrivateKey(der []byte) (key *rsa.PrivateKey, err error)</a></dd> <dd><a href="index.html#ParsePKCS8PrivateKey">func ParsePKCS8PrivateKey(der []byte) (key interface{}, err error)</a></dd> <dd><a href="index.html#ParsePKIXPublicKey">func ParsePKIXPublicKey(derBytes []byte) (pub interface{}, err error)</a></dd> <dd><a href="index.html#CertPool">type CertPool</a></dd> <dd> <a href="index.html#NewCertPool">func NewCertPool() *CertPool</a></dd> <dd> <a href="index.html#CertPool.AddCert">func (s *CertPool) AddCert(cert *Certificate)</a></dd> <dd> <a href="index.html#CertPool.AppendCertsFromPEM">func (s *CertPool) AppendCertsFromPEM(pemCerts []byte) (ok bool)</a></dd> <dd> <a href="index.html#CertPool.Subjects">func (s *CertPool) Subjects() (res [][]byte)</a></dd> <dd><a href="index.html#Certificate">type Certificate</a></dd> <dd> <a href="index.html#ParseCertificate">func ParseCertificate(asn1Data []byte) (*Certificate, error)</a></dd> <dd> <a href="index.html#Certificate.CheckCRLSignature">func (c *Certificate) CheckCRLSignature(crl *pkix.CertificateList) (err error)</a></dd> <dd> <a href="index.html#Certificate.CheckSignature">func (c *Certificate) CheckSignature(algo SignatureAlgorithm, signed, signature []byte) (err error)</a></dd> <dd> <a href="index.html#Certificate.CheckSignatureFrom">func (c *Certificate) CheckSignatureFrom(parent *Certificate) (err error)</a></dd> <dd> <a href="index.html#Certificate.CreateCRL">func (c *Certificate) CreateCRL(rand io.Reader, priv interface{}, revokedCerts []pkix.RevokedCertificate, now, expiry time.Time) (crlBytes []byte, err error)</a></dd> <dd> <a href="index.html#Certificate.Equal">func (c *Certificate) Equal(other *Certificate) bool</a></dd> <dd> <a href="index.html#Certificate.Verify">func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err error)</a></dd> <dd> <a href="index.html#Certificate.VerifyHostname">func (c *Certificate) VerifyHostname(h string) error</a></dd> <dd><a href="index.html#CertificateInvalidError">type CertificateInvalidError</a></dd> <dd> <a href="index.html#CertificateInvalidError.Error">func (e CertificateInvalidError) Error() string</a></dd> <dd><a href="index.html#CertificateRequest">type CertificateRequest</a></dd> <dd> <a href="index.html#ParseCertificateRequest">func ParseCertificateRequest(asn1Data []byte) (*CertificateRequest, error)</a></dd> <dd> <a href="index.html#CertificateRequest.CheckSignature">func (c *CertificateRequest) CheckSignature() (err error)</a></dd> <dd><a href="index.html#ConstraintViolationError">type ConstraintViolationError</a></dd> <dd> <a href="index.html#ConstraintViolationError.Error">func (ConstraintViolationError) Error() string</a></dd> <dd><a href="index.html#ExtKeyUsage">type ExtKeyUsage</a></dd> <dd><a href="index.html#HostnameError">type HostnameError</a></dd> <dd> <a href="index.html#HostnameError.Error">func (h HostnameError) Error() string</a></dd> <dd><a href="index.html#InsecureAlgorithmError">type InsecureAlgorithmError</a></dd> <dd> <a href="index.html#InsecureAlgorithmError.Error">func (e InsecureAlgorithmError) Error() string</a></dd> <dd><a href="index.html#InvalidReason">type InvalidReason</a></dd> <dd><a href="index.html#KeyUsage">type KeyUsage</a></dd> <dd><a href="index.html#PEMCipher">type PEMCipher</a></dd> <dd><a href="index.html#PublicKeyAlgorithm">type PublicKeyAlgorithm</a></dd> <dd><a href="index.html#SignatureAlgorithm">type SignatureAlgorithm</a></dd> <dd> <a href="index.html#SignatureAlgorithm.String">func (algo SignatureAlgorithm) String() string</a></dd> <dd><a href="index.html#SystemRootsError">type SystemRootsError</a></dd> <dd> <a href="index.html#SystemRootsError.Error">func (SystemRootsError) Error() string</a></dd> <dd><a href="index.html#UnhandledCriticalExtension">type UnhandledCriticalExtension</a></dd> <dd> <a href="index.html#UnhandledCriticalExtension.Error">func (h UnhandledCriticalExtension) Error() string</a></dd> <dd><a href="index.html#UnknownAuthorityError">type UnknownAuthorityError</a></dd> <dd> <a href="index.html#UnknownAuthorityError.Error">func (e UnknownAuthorityError) Error() string</a></dd> <dd><a href="index.html#VerifyOptions">type VerifyOptions</a></dd> </dl> </div><!-- #manual-nav -->
<div id="pkg-examples"> <h4>Examples</h4> <dl> <dd><a class="exampleLink" href="index.html#example_Certificate_Verify">Certificate.Verify</a></dd> </dl> </div>
<h4>Package files</h4> <p> <span style="font-size:90%"> <a href="http://localhost:6060/src/crypto/x509/cert_pool.go">cert_pool.go</a> <a href="http://localhost:6060/src/crypto/x509/pem_decrypt.go">pem_decrypt.go</a> <a href="http://localhost:6060/src/crypto/x509/pkcs1.go">pkcs1.go</a> <a href="http://localhost:6060/src/crypto/x509/pkcs8.go">pkcs8.go</a> <a href="http://localhost:6060/src/crypto/x509/root.go">root.go</a> <a href="http://localhost:6060/src/crypto/x509/root_linux.go">root_linux.go</a> <a href="http://localhost:6060/src/crypto/x509/root_unix.go">root_unix.go</a> <a href="http://localhost:6060/src/crypto/x509/sec1.go">sec1.go</a> <a href="http://localhost:6060/src/crypto/x509/verify.go">verify.go</a> <a href="http://localhost:6060/src/crypto/x509/x509.go">x509.go</a> </span> </p> </div><!-- .expanded --> </div><!-- #pkg-index -->
<div id="pkg-callgraph" class="toggle" style="display: none"> <div class="collapsed"> <h2 class="toggleButton" title="Click to show Internal Call Graph section">Internal call graph ▹</h2> </div> <!-- .expanded --> <div class="expanded"> <h2 class="toggleButton" title="Click to hide Internal Call Graph section">Internal call graph ▾</h2> <p> In the call graph viewer below, each node is a function belonging to this package and its children are the functions it calls—perhaps dynamically. </p> <p> The root nodes are the entry points of the package: functions that may be called from outside the package. There may be non-exported or anonymous functions among them if they are called dynamically from another package. </p> <p> Click a node to visit that function's source code. From there you can visit its callers by clicking its declaring <code>func</code> token. </p> <p> Functions may be omitted if they were determined to be unreachable in the particular programs or tests that were analyzed. </p> <!-- Zero means show all package entry points. --> <ul style="margin-left: 0.5in" id="callgraph-0" class="treeview"></ul> </div> </div> <!-- #pkg-callgraph -->
<h2 id="pkg-variables">Variables</h2> <pre>var <span id="ErrUnsupportedAlgorithm">ErrUnsupportedAlgorithm</span> = <a href="../../errors/index.html">errors</a>.<a href="../../errors/index.html#New">New</a>("x509: cannot verify signature: algorithm unimplemented")</pre> <p>ErrUnsupportedAlgorithm results from attempting to perform an operation thatinvolves algorithms that are not currently implemented.</p>
<pre>var <span id="IncorrectPasswordError">IncorrectPasswordError</span> = <a href="../../errors/index.html">errors</a>.<a href="../../errors/index.html#New">New</a>("x509: decryption password incorrect")</pre> <p>IncorrectPasswordError is returned when an incorrect password is detected.</p>
<h2 id="CreateCertificate">func <a href="http://localhost:6060/src/crypto/x509/x509.go?s=49450:49567#L1558">CreateCertificate</a></h2> <pre>func CreateCertificate(rand <a href="../../io/index.html">io</a>.<a href="../../io/index.html#Reader">Reader</a>, template, parent *<a href="index.html#Certificate">Certificate</a>, pub, priv interface{}) (cert []<a href="../../builtin/index.html#byte">byte</a>, err <a href="../../builtin/index.html#error">error</a>)</pre> <p>CreateCertificate creates a new certificate based on a template. Thefollowing members of template are used: SerialNumber, Subject, NotBefore,NotAfter, KeyUsage, ExtKeyUsage, UnknownExtKeyUsage, BasicConstraintsValid,IsCA, MaxPathLen, SubjectKeyId, DNSNames, PermittedDNSDomainsCritical,PermittedDNSDomains, SignatureAlgorithm.</p><p>The certificate is signed by parent. If parent is equal to template then thecertificate is self-signed. The parameter pub is the public key of thesignee and priv is the private key of the signer.</p><p>The returned slice is the certificate in DER encoding.</p><p>All keys types that are implemented via crypto.Signer are supported (Thisincludes *rsa.PublicKey and *ecdsa.PublicKey.)</p>
<h2 id="CreateCertificateRequest">func <a href="http://localhost:6060/src/crypto/x509/x509.go?s=58474:58591#L1849">CreateCertificateRequest</a></h2> <pre>func CreateCertificateRequest(rand <a href="../../io/index.html">io</a>.<a href="../../io/index.html#Reader">Reader</a>, template *<a href="index.html#CertificateRequest">CertificateRequest</a>, priv interface{}) (csr []<a href="../../builtin/index.html#byte">byte</a>, err <a href="../../builtin/index.html#error">error</a>)</pre> <p>CreateCertificateRequest creates a new certificate based on a template. Thefollowing members of template are used: Subject, Attributes,SignatureAlgorithm, Extensions, DNSNames, EmailAddresses, and IPAddresses.The private key is the private key of the signer.</p><p>The returned slice is the certificate request in DER encoding.</p><p>All keys types that are implemented via crypto.Signer are supported (Thisincludes *rsa.PublicKey and *ecdsa.PublicKey.)</p>
<h2 id="DecryptPEMBlock">func <a href="http://localhost:6060/src/crypto/x509/pem_decrypt.go?s=3144:3211#L105">DecryptPEMBlock</a></h2> <pre>func DecryptPEMBlock(b *<a href="../../encoding/pem/index.html">pem</a>.<a href="../../encoding/pem/index.html#Block">Block</a>, password []<a href="../../builtin/index.html#byte">byte</a>) ([]<a href="../../builtin/index.html#byte">byte</a>, <a href="../../builtin/index.html#error">error</a>)</pre> <p>DecryptPEMBlock takes a password encrypted PEM block and the password used toencrypt it and returns a slice of decrypted DER encoded bytes. It inspectsthe DEK-Info header to determine the algorithm used for decryption. If noDEK-Info header is present, an error is returned. If an incorrect passwordis detected an IncorrectPasswordError is returned. Because of deficienciesin the encrypted-PEM format, it's not always possible to detect an incorrectpassword. In these cases no error will be returned but the decrypted DERbytes will be random noise.</p>
<h2 id="EncryptPEMBlock">func <a href="http://localhost:6060/src/crypto/x509/pem_decrypt.go?s=5073:5185#L173">EncryptPEMBlock</a></h2> <pre>func EncryptPEMBlock(rand <a href="../../io/index.html">io</a>.<a href="../../io/index.html#Reader">Reader</a>, blockType <a href="../../builtin/index.html#string">string</a>, data, password []<a href="../../builtin/index.html#byte">byte</a>, alg <a href="index.html#PEMCipher">PEMCipher</a>) (*<a href="../../encoding/pem/index.html">pem</a>.<a href="../../encoding/pem/index.html#Block">Block</a>, <a href="../../builtin/index.html#error">error</a>)</pre> <p>EncryptPEMBlock returns a PEM block of the specified type holding thegiven DER-encoded data encrypted with the specified algorithm andpassword.</p>
<h2 id="IsEncryptedPEMBlock">func <a href="http://localhost:6060/src/crypto/x509/pem_decrypt.go?s=2315:2358#L89">IsEncryptedPEMBlock</a></h2> <pre>func IsEncryptedPEMBlock(b *<a href="../../encoding/pem/index.html">pem</a>.<a href="../../encoding/pem/index.html#Block">Block</a>) <a href="../../builtin/index.html#bool">bool</a></pre> <p>IsEncryptedPEMBlock returns if the PEM block is password encrypted.</p>
<h2 id="MarshalECPrivateKey">func <a href="http://localhost:6060/src/crypto/x509/sec1.go?s=1008:1071#L27">MarshalECPrivateKey</a></h2> <pre>func MarshalECPrivateKey(key *<a href="../ecdsa/index.html">ecdsa</a>.<a href="../ecdsa/index.html#PrivateKey">PrivateKey</a>) ([]<a href="../../builtin/index.html#byte">byte</a>, <a href="../../builtin/index.html#error">error</a>)</pre> <p>MarshalECPrivateKey marshals an EC private key into ASN.1, DER format.</p>
<h2 id="MarshalPKCS1PrivateKey">func <a href="http://localhost:6060/src/crypto/x509/pkcs1.go?s=2109:2164#L77">MarshalPKCS1PrivateKey</a></h2> <pre>func MarshalPKCS1PrivateKey(key *<a href="../rsa/index.html">rsa</a>.<a href="../rsa/index.html#PrivateKey">PrivateKey</a>) []<a href="../../builtin/index.html#byte">byte</a></pre> <p>MarshalPKCS1PrivateKey converts a private key to ASN.1 DER encoded form.</p>
<h2 id="MarshalPKIXPublicKey">func <a href="http://localhost:6060/src/crypto/x509/x509.go?s=2581:2639#L81">MarshalPKIXPublicKey</a></h2> <pre>func MarshalPKIXPublicKey(pub interface{}) ([]<a href="../../builtin/index.html#byte">byte</a>, <a href="../../builtin/index.html#error">error</a>)</pre> <p>MarshalPKIXPublicKey serialises a public key to DER-encoded PKIX format.</p>
<h2 id="ParseCRL">func <a href="http://localhost:6060/src/crypto/x509/x509.go?s=51681:51755#L1641">ParseCRL</a></h2> <pre>func ParseCRL(crlBytes []<a href="../../builtin/index.html#byte">byte</a>) (certList *<a href="pkix/index.html">pkix</a>.<a href="pkix/index.html#CertificateList">CertificateList</a>, err <a href="../../builtin/index.html#error">error</a>)</pre> <p>ParseCRL parses a CRL from the given bytes. It's often the case that PEMencoded CRLs will appear where they should be DER encoded, so this functionwill transparently handle PEM encoding as long as there isn't any leadinggarbage.</p>
<h2 id="ParseCertificates">func <a href="http://localhost:6060/src/crypto/x509/x509.go?s=38729:38792#L1190">ParseCertificates</a></h2> <pre>func ParseCertificates(asn1Data []<a href="../../builtin/index.html#byte">byte</a>) ([]*<a href="index.html#Certificate">Certificate</a>, <a href="../../builtin/index.html#error">error</a>)</pre> <p>ParseCertificates parses one or more certificates from the given ASN.1 DERdata. The certificates must be concatenated with no intermediate padding.</p>
<h2 id="ParseDERCRL">func <a href="http://localhost:6060/src/crypto/x509/x509.go?s=52012:52089#L1652">ParseDERCRL</a></h2> <pre>func ParseDERCRL(derBytes []<a href="../../builtin/index.html#byte">byte</a>) (certList *<a href="pkix/index.html">pkix</a>.<a href="pkix/index.html#CertificateList">CertificateList</a>, err <a href="../../builtin/index.html#error">error</a>)</pre> <p>ParseDERCRL parses a DER encoded CRL from the given bytes.</p>
<h2 id="ParseECPrivateKey">func <a href="http://localhost:6060/src/crypto/x509/sec1.go?s=823:892#L22">ParseECPrivateKey</a></h2> <pre>func ParseECPrivateKey(der []<a href="../../builtin/index.html#byte">byte</a>) (key *<a href="../ecdsa/index.html">ecdsa</a>.<a href="../ecdsa/index.html#PrivateKey">PrivateKey</a>, err <a href="../../builtin/index.html#error">error</a>)</pre> <p>ParseECPrivateKey parses an ASN.1 Elliptic Curve Private Key Structure.</p>
<h2 id="ParsePKCS1PrivateKey">func <a href="http://localhost:6060/src/crypto/x509/pkcs1.go?s=945:1015#L29">ParsePKCS1PrivateKey</a></h2> <pre>func ParsePKCS1PrivateKey(der []<a href="../../builtin/index.html#byte">byte</a>) (key *<a href="../rsa/index.html">rsa</a>.<a href="../rsa/index.html#PrivateKey">PrivateKey</a>, err <a href="../../builtin/index.html#error">error</a>)</pre> <p>ParsePKCS1PrivateKey returns an RSA private key from its ASN.1 PKCS#1 DER encoded form.</p>
<h2 id="ParsePKCS8PrivateKey">func <a href="http://localhost:6060/src/crypto/x509/pkcs8.go?s=626:692#L16">ParsePKCS8PrivateKey</a></h2> <pre>func ParsePKCS8PrivateKey(der []<a href="../../builtin/index.html#byte">byte</a>) (key interface{}, err <a href="../../builtin/index.html#error">error</a>)</pre> <p>ParsePKCS8PrivateKey parses an unencrypted, PKCS#8 private key. See<a href="http://www.rsa.com/rsalabs/node.asp?id=2130">http://www.rsa.com/rsalabs/node.asp?id=2130</a> and RFC5208.</p>
<h2 id="ParsePKIXPublicKey">func <a href="http://localhost:6060/src/crypto/x509/x509.go?s=816:885#L29">ParsePKIXPublicKey</a></h2> <pre>func ParsePKIXPublicKey(derBytes []<a href="../../builtin/index.html#byte">byte</a>) (pub interface{}, err <a href="../../builtin/index.html#error">error</a>)</pre> <p>ParsePKIXPublicKey parses a DER encoded public key. These values aretypically found in PEM blocks with "BEGIN PUBLIC KEY".</p>
<h2 id="CertPool">type <a href="http://localhost:6060/src/crypto/x509/cert_pool.go?s=240:361#L2">CertPool</a></h2> <pre>type CertPool struct { <span class="comment">// contains filtered or unexported fields</span>}</pre> <p>CertPool is a set of certificates.</p>
<h3 id="NewCertPool">func <a href="http://localhost:6060/src/crypto/x509/cert_pool.go?s=409:437#L9">NewCertPool</a></h3> <pre>func NewCertPool() *<a href="index.html#CertPool">CertPool</a></pre> <p>NewCertPool returns a new, empty CertPool.</p>
<h3 id="CertPool.AddCert">func (*CertPool) <a href="http://localhost:6060/src/crypto/x509/cert_pool.go?s=1329:1374#L46">AddCert</a></h3> <pre>func (s *<a href="index.html#CertPool">CertPool</a>) AddCert(cert *<a href="index.html#Certificate">Certificate</a>)</pre> <p>AddCert adds a certificate to a pool.</p>
<h3 id="CertPool.AppendCertsFromPEM">func (*CertPool) <a href="http://localhost:6060/src/crypto/x509/cert_pool.go?s=2159:2223#L75">AppendCertsFromPEM</a></h3> <pre>func (s *<a href="index.html#CertPool">CertPool</a>) AppendCertsFromPEM(pemCerts []<a href="../../builtin/index.html#byte">byte</a>) (ok <a href="../../builtin/index.html#bool">bool</a>)</pre> <p>AppendCertsFromPEM attempts to parse a series of PEM encoded certificates.It appends any certificates found to s and reports whether any certificateswere successfully parsed.</p><p>On many Linux systems, /etc/ssl/cert.pem will contain the system wide setof root CAs in a format suitable for this function.</p>
<h3 id="CertPool.Subjects">func (*CertPool) <a href="http://localhost:6060/src/crypto/x509/cert_pool.go?s=2650:2694#L100">Subjects</a></h3> <pre>func (s *<a href="index.html#CertPool">CertPool</a>) Subjects() (res [][]<a href="../../builtin/index.html#byte">byte</a>)</pre> <p>Subjects returns a list of the DER-encoded subjects ofall of the certificates in the pool.</p>
<h2 id="Certificate">type <a href="http://localhost:6060/src/crypto/x509/x509.go?s=15246:18151#L477">Certificate</a></h2> <pre>type Certificate struct { Raw []<a href="../../builtin/index.html#byte">byte</a> <span class="comment">// Complete ASN.1 DER content (certificate, signature algorithm and signature).</span> RawTBSCertificate []<a href="../../builtin/index.html#byte">byte</a> <span class="comment">// Certificate part of raw ASN.1 DER content.</span> RawSubjectPublicKeyInfo []<a href="../../builtin/index.html#byte">byte</a> <span class="comment">// DER encoded SubjectPublicKeyInfo.</span> RawSubject []<a href="../../builtin/index.html#byte">byte</a> <span class="comment">// DER encoded Subject</span> RawIssuer []<a href="../../builtin/index.html#byte">byte</a> <span class="comment">// DER encoded Issuer</span>
Signature []<a href="../../builtin/index.html#byte">byte</a> SignatureAlgorithm <a href="index.html#SignatureAlgorithm">SignatureAlgorithm</a>
PublicKeyAlgorithm <a href="index.html#PublicKeyAlgorithm">PublicKeyAlgorithm</a> PublicKey interface{}
Version <a href="../../builtin/index.html#int">int</a> SerialNumber *<a href="../../math/big/index.html">big</a>.<a href="../../math/big/index.html#Int">Int</a> Issuer <a href="pkix/index.html">pkix</a>.<a href="pkix/index.html#Name">Name</a> Subject <a href="pkix/index.html">pkix</a>.<a href="pkix/index.html#Name">Name</a> NotBefore, NotAfter <a href="../../time/index.html">time</a>.<a href="../../time/index.html#Time">Time</a> <span class="comment">// Validity bounds.</span> KeyUsage <a href="index.html#KeyUsage">KeyUsage</a>
<span class="comment">// Extensions contains raw X.509 extensions. When parsing certificates,</span> <span class="comment">// this can be used to extract non-critical extensions that are not</span> <span class="comment">// parsed by this package. When marshaling certificates, the Extensions</span> <span class="comment">// field is ignored, see ExtraExtensions.</span> Extensions []<a href="pkix/index.html">pkix</a>.<a href="pkix/index.html#Extension">Extension</a>
<span class="comment">// ExtraExtensions contains extensions to be copied, raw, into any</span> <span class="comment">// marshaled certificates. Values override any extensions that would</span> <span class="comment">// otherwise be produced based on the other fields. The ExtraExtensions</span> <span class="comment">// field is not populated when parsing certificates, see Extensions.</span> ExtraExtensions []<a href="pkix/index.html">pkix</a>.<a href="pkix/index.html#Extension">Extension</a>
<span class="comment">// UnhandledCriticalExtensions contains a list of extension IDs that</span> <span class="comment">// were not (fully) processed when parsing. Verify will fail if this</span> <span class="comment">// slice is non-empty, unless verification is delegated to an OS</span> <span class="comment">// library which understands all the critical extensions.</span> <span class="comment">//</span> <span class="comment">// Users can access these extensions using Extensions and can remove</span> <span class="comment">// elements from this slice if they believe that they have been</span> <span class="comment">// handled.</span> UnhandledCriticalExtensions []<a href="../../encoding/asn1/index.html">asn1</a>.<a href="../../encoding/asn1/index.html#ObjectIdentifier">ObjectIdentifier</a>
ExtKeyUsage []<a href="index.html#ExtKeyUsage">ExtKeyUsage</a> <span class="comment">// Sequence of extended key usages.</span> UnknownExtKeyUsage []<a href="../../encoding/asn1/index.html">asn1</a>.<a href="../../encoding/asn1/index.html#ObjectIdentifier">ObjectIdentifier</a> <span class="comment">// Encountered extended key usages unknown to this package.</span>
BasicConstraintsValid <a href="../../builtin/index.html#bool">bool</a> <span class="comment">// if true then the next two fields are valid.</span> IsCA <a href="../../builtin/index.html#bool">bool</a> MaxPathLen <a href="../../builtin/index.html#int">int</a> <span class="comment">// MaxPathLenZero indicates that BasicConstraintsValid==true and</span> <span class="comment">// MaxPathLen==0 should be interpreted as an actual maximum path length</span> <span class="comment">// of zero. Otherwise, that combination is interpreted as MaxPathLen</span> <span class="comment">// not being set.</span> MaxPathLenZero <a href="../../builtin/index.html#bool">bool</a>
SubjectKeyId []<a href="../../builtin/index.html#byte">byte</a> AuthorityKeyId []<a href="../../builtin/index.html#byte">byte</a>
<span class="comment">// RFC 5280, 4.2.2.1 (Authority Information Access)</span> OCSPServer []<a href="../../builtin/index.html#string">string</a> IssuingCertificateURL []<a href="../../builtin/index.html#string">string</a>
<span class="comment">// Subject Alternate Name values</span> DNSNames []<a href="../../builtin/index.html#string">string</a> EmailAddresses []<a href="../../builtin/index.html#string">string</a> IPAddresses []<a href="../../net/index.html">net</a>.<a href="../../net/index.html#IP">IP</a>
<span class="comment">// Name constraints</span> PermittedDNSDomainsCritical <a href="../../builtin/index.html#bool">bool</a> <span class="comment">// if true then the name constraints are marked critical.</span> PermittedDNSDomains []<a href="../../builtin/index.html#string">string</a>
<span class="comment">// CRL Distribution Points</span> CRLDistributionPoints []<a href="../../builtin/index.html#string">string</a>
PolicyIdentifiers []<a href="../../encoding/asn1/index.html">asn1</a>.<a href="../../encoding/asn1/index.html#ObjectIdentifier">ObjectIdentifier</a>}</pre> <p>A Certificate represents an X.509 certificate.</p>
<h3 id="ParseCertificate">func <a href="http://localhost:6060/src/crypto/x509/x509.go?s=38293:38353#L1175">ParseCertificate</a></h3> <pre>func ParseCertificate(asn1Data []<a href="../../builtin/index.html#byte">byte</a>) (*<a href="index.html#Certificate">Certificate</a>, <a href="../../builtin/index.html#error">error</a>)</pre> <p>ParseCertificate parses a single certificate from the given ASN.1 DER data.</p>
<h3 id="Certificate.CheckCRLSignature">func (*Certificate) <a href="http://localhost:6060/src/crypto/x509/x509.go?s=24688:24766#L724">CheckCRLSignature</a></h3> <pre>func (c *<a href="index.html#Certificate">Certificate</a>) CheckCRLSignature(crl *<a href="pkix/index.html">pkix</a>.<a href="pkix/index.html#CertificateList">CertificateList</a>) (err <a href="../../builtin/index.html#error">error</a>)</pre> <p>CheckCRLSignature checks that the signature in crl is from c.</p>
<h3 id="Certificate.CheckSignature">func (*Certificate) <a href="http://localhost:6060/src/crypto/x509/x509.go?s=22530:22629#L656">CheckSignature</a></h3> <pre>func (c *<a href="index.html#Certificate">Certificate</a>) CheckSignature(algo <a href="index.html#SignatureAlgorithm">SignatureAlgorithm</a>, signed, signature []<a href="../../builtin/index.html#byte">byte</a>) (err <a href="../../builtin/index.html#error">error</a>)</pre> <p>CheckSignature verifies that signature is a valid signature over signed fromc's public key.</p>
<h3 id="Certificate.CheckSignatureFrom">func (*Certificate) <a href="http://localhost:6060/src/crypto/x509/x509.go?s=21462:21535#L628">CheckSignatureFrom</a></h3> <pre>func (c *<a href="index.html#Certificate">Certificate</a>) CheckSignatureFrom(parent *<a href="index.html#Certificate">Certificate</a>) (err <a href="../../builtin/index.html#error">error</a>)</pre> <p>CheckSignatureFrom verifies that the signature on c is a valid signaturefrom parent.</p>
<h3 id="Certificate.CreateCRL">func (*Certificate) <a href="http://localhost:6060/src/crypto/x509/x509.go?s=52453:52610#L1664">CreateCRL</a></h3> <pre>func (c *<a href="index.html#Certificate">Certificate</a>) CreateCRL(rand <a href="../../io/index.html">io</a>.<a href="../../io/index.html#Reader">Reader</a>, priv interface{}, revokedCerts []<a href="pkix/index.html">pkix</a>.<a href="pkix/index.html#RevokedCertificate">RevokedCertificate</a>, now, expiry <a href="../../time/index.html">time</a>.<a href="../../time/index.html#Time">Time</a>) (crlBytes []<a href="../../builtin/index.html#byte">byte</a>, err <a href="../../builtin/index.html#error">error</a>)</pre> <p>CreateCRL returns a DER encoded CRL, signed by this Certificate, thatcontains the given list of revoked certificates.</p>
<h3 id="Certificate.Equal">func (*Certificate) <a href="http://localhost:6060/src/crypto/x509/x509.go?s=18990:19042#L573">Equal</a></h3> <pre>func (c *<a href="index.html#Certificate">Certificate</a>) Equal(other *<a href="index.html#Certificate">Certificate</a>) <a href="../../builtin/index.html#bool">bool</a></pre> <h3 id="Certificate.Verify">func (*Certificate) <a href="http://localhost:6060/src/crypto/x509/verify.go?s=7315:7400#L207">Verify</a></h3> <pre>func (c *<a href="index.html#Certificate">Certificate</a>) Verify(opts <a href="index.html#VerifyOptions">VerifyOptions</a>) (chains [][]*<a href="index.html#Certificate">Certificate</a>, err <a href="../../builtin/index.html#error">error</a>)</pre> <p>Verify attempts to verify c by building one or more chains from c to acertificate in opts.Roots, using certificates in opts.Intermediates ifneeded. If successful, it returns one or more chains where the firstelement of the chain is c and the last element is from opts.Roots.</p><p>If opts.Roots is nil and system roots are unavailable the returned errorwill be of type SystemRootsError.</p><p>WARNING: this doesn't do any revocation checking.</p>
<div id="example_Certificate_Verify" class="toggle"> <div class="collapsed"> <p class="exampleHeading toggleButton">▹ <span class="text">Example</span></p> </div> <div class="expanded"> <p class="exampleHeading toggleButton">▾ <span class="text">Example</span></p> <p>Code:</p> <pre class="code"><span class="comment">// Verifying with a custom list of root certificates.</span>
const rootPEM = `-----BEGIN CERTIFICATE-----MIIEBDCCAuygAwIBAgIDAjppMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9iYWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTUwNDA0MTUxNTU1WjBJMQswCQYDVQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVybmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NPVaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtvh8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rEahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZEASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXCDTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB+zCB+DAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwOgYDVR0fBDMwMTAvoC2gK4YpaHR0cDovL2NybC5nZW90cnVzdC5jb20vY3Jscy9ndGdsb2JhbC5jcmwwPQYIKwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vZ3RnbG9iYWwtb2NzcC5nZW90cnVzdC5jb20wFwYDVR0gBBAwDjAMBgorBgEEAdZ5AgUBMA0GCSqGSIb3DQEBBQUAA4IBAQA21waAESetKhSbOHezI6B1WLuxfoNCunLaHtiONgaX4PCVOzf9G0JY/iLIa704XtE7JW4S615ndkZAkNoUyHgN7ZVm2o6Gb4ChulYylYbc3GrKBIxbf/a/zG+FA1jDaFETzf3I93k9mTXwVqO94FntT0QJo544evZG0R0SnU++0ED8Vf4GXjzaHFa9llF7b1cq26KqltyMdMKVvvBulRP/F/A8rLIQjcxz++iPAsbw+zOzlTvjwstoWHPbqCRiOwY1nQ2pM714A5AuTHhdUDqB1O6gyHA43LL5Z/qHQF1hwFGPa4NrzQU6yuGnBXj8ytqU0CwIPX4WecigUCAkVDNx-----END CERTIFICATE-----`
const certPEM = `-----BEGIN CERTIFICATE-----MIIDujCCAqKgAwIBAgIIE31FZVaPXTUwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UEBhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRlcm5ldCBBdXRob3JpdHkgRzIwHhcNMTQwMTI5MTMyNzQzWhcNMTQwNTI5MDAwMDAwWjBpMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEYMBYGA1UEAwwPbWFpbC5nb29nbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfRrObuSW5T7q5CnSEqefEmtH4CCv6+5EckuriNr1CjfVvqzwfAhopXkLrq45EQm8vkmf7W96XJhC7ZM0dYi1/qOCAU8wggFLMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAaBgNVHREEEzARgg9tYWlsLmdvb2dsZS5jb20wCwYDVR0PBAQDAgeAMGgGCCsGAQUFBwEBBFwwWjArBggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nbGUuY29tL0dJQUcyLmNydDArBggrBgEFBQcwAYYfaHR0cDovL2NsaWVudHMxLmdvb2dsZS5jb20vb2NzcDAdBgNVHQ4EFgQUiJxtimAuTfwb+aUtBn5UYKreKvMwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBRK3QYWG7z2aLV29YG2u2IaulqBLzAXBgNVHSAEEDAOMAwGCisGAQQB1nkCBQEwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29nbGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQUFAAOCAQEAH6RYHxHdcGpMpFE3oxDoFnP+gtuBCHan2yE2GRbJ2Cw8Lw0MmuKqHlf9RSeYfd3BXeKkj1qO6TVKwCh+0HdZk283TZZyzmEOyclm3UGFYe82P/iDFt+CeQ3NpmBg+GoaVCuWAARJN/KfglbLyyYygcQq0SgeDh8dRKUiaW3HQSoYvTvdTuqzwK4CXsr3b5/dAOY8uMuG/IAR3FgwTbZ1dtoWRvOTa8hYiU6A475WuZKyEHcwnGYe57u2I2KbMgcKjPniocj4QzgYsVAVKW3IwaOhyE+vPxsiUkvQHdO2fojCkY8jg70jxM+gu59tPDNbw3Uh/2Ij310FgTHsnGQMyA==-----END CERTIFICATE-----`
<span class="comment">// First, create the set of root certificates. For this example we only</span><span class="comment">// have one. It's also possible to omit this in order to use the</span><span class="comment">// default root set of the current operating system.</span>roots := x509.NewCertPool()ok := roots.AppendCertsFromPEM([]byte(rootPEM))if !ok { panic("failed to parse root certificate")}
block, _ := pem.Decode([]byte(certPEM))if block == nil { panic("failed to parse certificate PEM")}cert, err := x509.ParseCertificate(block.Bytes)if err != nil { panic("failed to parse certificate: " + err.Error())}
opts := x509.VerifyOptions{ DNSName: "mail.google.com", Roots: roots,}
if _, err := cert.Verify(opts); err != nil { panic("failed to verify certificate: " + err.Error())}</pre> </div></div>
<h3 id="Certificate.VerifyHostname">func (*Certificate) <a href="http://localhost:6060/src/crypto/x509/verify.go?s=12003:12055#L398">VerifyHostname</a></h3> <pre>func (c *<a href="index.html#Certificate">Certificate</a>) VerifyHostname(h <a href="../../builtin/index.html#string">string</a>) <a href="../../builtin/index.html#error">error</a></pre> <p>VerifyHostname returns nil if c is a valid certificate for the named host.Otherwise it returns an error describing the mismatch.</p>
<h2 id="CertificateInvalidError">type <a href="http://localhost:6060/src/crypto/x509/verify.go?s=1130:1212#L30">CertificateInvalidError</a></h2> <pre>type CertificateInvalidError struct { Cert *<a href="index.html#Certificate">Certificate</a> Reason <a href="index.html#InvalidReason">InvalidReason</a>}</pre> <p>CertificateInvalidError results when an odd error occurs. Users of thislibrary probably want to handle all these errors uniformly.</p>
<h3 id="CertificateInvalidError.Error">func (CertificateInvalidError) <a href="http://localhost:6060/src/crypto/x509/verify.go?s=1214:1261#L35">Error</a></h3> <pre>func (e <a href="index.html#CertificateInvalidError">CertificateInvalidError</a>) Error() <a href="../../builtin/index.html#string">string</a></pre> <h2 id="CertificateRequest">type <a href="http://localhost:6060/src/crypto/x509/x509.go?s=53971:55284#L1718">CertificateRequest</a></h2> <pre>type CertificateRequest struct { Raw []<a href="../../builtin/index.html#byte">byte</a> <span class="comment">// Complete ASN.1 DER content (CSR, signature algorithm and signature).</span> RawTBSCertificateRequest []<a href="../../builtin/index.html#byte">byte</a> <span class="comment">// Certificate request info part of raw ASN.1 DER content.</span> RawSubjectPublicKeyInfo []<a href="../../builtin/index.html#byte">byte</a> <span class="comment">// DER encoded SubjectPublicKeyInfo.</span> RawSubject []<a href="../../builtin/index.html#byte">byte</a> <span class="comment">// DER encoded Subject.</span>
Version <a href="../../builtin/index.html#int">int</a> Signature []<a href="../../builtin/index.html#byte">byte</a> SignatureAlgorithm <a href="index.html#SignatureAlgorithm">SignatureAlgorithm</a>
PublicKeyAlgorithm <a href="index.html#PublicKeyAlgorithm">PublicKeyAlgorithm</a> PublicKey interface{}
Subject <a href="pkix/index.html">pkix</a>.<a href="pkix/index.html#Name">Name</a>
<span class="comment">// Attributes is the dried husk of a bug and shouldn't be used.</span> Attributes []<a href="pkix/index.html">pkix</a>.<a href="pkix/index.html#AttributeTypeAndValueSET">AttributeTypeAndValueSET</a>
<span class="comment">// Extensions contains raw X.509 extensions. When parsing CSRs, this</span> <span class="comment">// can be used to extract extensions that are not parsed by this</span> <span class="comment">// package.</span> Extensions []<a href="pkix/index.html">pkix</a>.<a href="pkix/index.html#Extension">Extension</a>
<span class="comment">// ExtraExtensions contains extensions to be copied, raw, into any</span> <span class="comment">// marshaled CSR. Values override any extensions that would otherwise</span> <span class="comment">// be produced based on the other fields but are overridden by any</span> <span class="comment">// extensions specified in Attributes.</span> <span class="comment">//</span> <span class="comment">// The ExtraExtensions field is not populated when parsing CSRs, see</span> <span class="comment">// Extensions.</span> ExtraExtensions []<a href="pkix/index.html">pkix</a>.<a href="pkix/index.html#Extension">Extension</a>
<span class="comment">// Subject Alternate Name values.</span> DNSNames []<a href="../../builtin/index.html#string">string</a> EmailAddresses []<a href="../../builtin/index.html#string">string</a> IPAddresses []<a href="../../net/index.html">net</a>.<a href="../../net/index.html#IP">IP</a>}</pre> <p>CertificateRequest represents a PKCS #10, certificate signature request.</p>
<h3 id="ParseCertificateRequest">func <a href="http://localhost:6060/src/crypto/x509/x509.go?s=62307:62381#L1998">ParseCertificateRequest</a></h3> <pre>func ParseCertificateRequest(asn1Data []<a href="../../builtin/index.html#byte">byte</a>) (*<a href="index.html#CertificateRequest">CertificateRequest</a>, <a href="../../builtin/index.html#error">error</a>)</pre> <p>ParseCertificateRequest parses a single certificate request from thegiven ASN.1 DER data.</p>
<h3 id="CertificateRequest.CheckSignature">func (*CertificateRequest) <a href="http://localhost:6060/src/crypto/x509/x509.go?s=64088:64145#L2059">CheckSignature</a></h3> <pre>func (c *<a href="index.html#CertificateRequest">CertificateRequest</a>) CheckSignature() (err <a href="../../builtin/index.html#error">error</a>)</pre> <p>CheckSignature verifies that the signature on c is a valid signature</p>
<h2 id="ConstraintViolationError">type <a href="http://localhost:6060/src/crypto/x509/x509.go?s=18807:18845#L567">ConstraintViolationError</a></h2> <pre>type ConstraintViolationError struct{}</pre> <p>ConstraintViolationError results when a requested usage is not permitted bya certificate. For example: checking a signature when the public key isn't acertificate signing key.</p>
<h3 id="ConstraintViolationError.Error">func (ConstraintViolationError) <a href="http://localhost:6060/src/crypto/x509/x509.go?s=18847:18893#L569">Error</a></h3> <pre>func (<a href="index.html#ConstraintViolationError">ConstraintViolationError</a>) Error() <a href="../../builtin/index.html#string">string</a></pre> <h2 id="ExtKeyUsage">type <a href="http://localhost:6060/src/crypto/x509/x509.go?s=13566:13586#L422">ExtKeyUsage</a></h2> <pre>type ExtKeyUsage <a href="../../builtin/index.html#int">int</a></pre> <p>ExtKeyUsage represents an extended set of actions that are valid for a given key.Each of the ExtKeyUsage* constants define a unique action.</p>
<pre>const ( <span id="ExtKeyUsageAny">ExtKeyUsageAny</span> <a href="index.html#ExtKeyUsage">ExtKeyUsage</a> = <a href="../../builtin/index.html#iota">iota</a> <span id="ExtKeyUsageServerAuth">ExtKeyUsageServerAuth</span> <span id="ExtKeyUsageClientAuth">ExtKeyUsageClientAuth</span> <span id="ExtKeyUsageCodeSigning">ExtKeyUsageCodeSigning</span> <span id="ExtKeyUsageEmailProtection">ExtKeyUsageEmailProtection</span> <span id="ExtKeyUsageIPSECEndSystem">ExtKeyUsageIPSECEndSystem</span> <span id="ExtKeyUsageIPSECTunnel">ExtKeyUsageIPSECTunnel</span> <span id="ExtKeyUsageIPSECUser">ExtKeyUsageIPSECUser</span> <span id="ExtKeyUsageTimeStamping">ExtKeyUsageTimeStamping</span> <span id="ExtKeyUsageOCSPSigning">ExtKeyUsageOCSPSigning</span> <span id="ExtKeyUsageMicrosoftServerGatedCrypto">ExtKeyUsageMicrosoftServerGatedCrypto</span> <span id="ExtKeyUsageNetscapeServerGatedCrypto">ExtKeyUsageNetscapeServerGatedCrypto</span>)</pre>
<h2 id="HostnameError">type <a href="http://localhost:6060/src/crypto/x509/verify.go?s=1903:1978#L53">HostnameError</a></h2> <pre>type HostnameError struct { Certificate *<a href="index.html#Certificate">Certificate</a> Host <a href="../../builtin/index.html#string">string</a>}</pre> <p>HostnameError results when the set of authorized names doesn't match therequested name.</p>
<h3 id="HostnameError.Error">func (HostnameError) <a href="http://localhost:6060/src/crypto/x509/verify.go?s=1980:2017#L58">Error</a></h3> <pre>func (h <a href="index.html#HostnameError">HostnameError</a>) Error() <a href="../../builtin/index.html#string">string</a></pre> <h2 id="InsecureAlgorithmError">type <a href="http://localhost:6060/src/crypto/x509/x509.go?s=18421:18467#L558">InsecureAlgorithmError</a></h2> <pre>type InsecureAlgorithmError <a href="index.html#SignatureAlgorithm">SignatureAlgorithm</a></pre> <p>An InsecureAlgorithmError</p>
<h3 id="InsecureAlgorithmError.Error">func (InsecureAlgorithmError) <a href="http://localhost:6060/src/crypto/x509/x509.go?s=18469:18515#L560">Error</a></h3> <pre>func (e <a href="index.html#InsecureAlgorithmError">InsecureAlgorithmError</a>) Error() <a href="../../builtin/index.html#string">string</a></pre> <h2 id="InvalidReason">type <a href="http://localhost:6060/src/crypto/x509/verify.go?s=256:278#L7">InvalidReason</a></h2> <pre>type InvalidReason <a href="../../builtin/index.html#int">int</a></pre>
<pre>const ( <span class="comment">// NotAuthorizedToSign results when a certificate is signed by another</span> <span class="comment">// which isn't marked as a CA certificate.</span> <span id="NotAuthorizedToSign">NotAuthorizedToSign</span> <a href="index.html#InvalidReason">InvalidReason</a> = <a href="../../builtin/index.html#iota">iota</a> <span class="comment">// Expired results when a certificate has expired, based on the time</span> <span class="comment">// given in the VerifyOptions.</span> <span id="Expired">Expired</span> <span class="comment">// CANotAuthorizedForThisName results when an intermediate or root</span> <span class="comment">// certificate has a name constraint which doesn't include the name</span> <span class="comment">// being checked.</span> <span id="CANotAuthorizedForThisName">CANotAuthorizedForThisName</span> <span class="comment">// TooManyIntermediates results when a path length constraint is</span> <span class="comment">// violated.</span> <span id="TooManyIntermediates">TooManyIntermediates</span> <span class="comment">// IncompatibleUsage results when the certificate's key usage indicates</span> <span class="comment">// that it may only be used for a different purpose.</span> <span id="IncompatibleUsage">IncompatibleUsage</span>)</pre>
<h2 id="KeyUsage">type <a href="http://localhost:6060/src/crypto/x509/x509.go?s=11479:11496#L379">KeyUsage</a></h2> <pre>type KeyUsage <a href="../../builtin/index.html#int">int</a></pre> <p>KeyUsage represents the set of actions that are valid for a given key. It'sa bitmap of the KeyUsage* constants.</p>
<pre>const ( <span id="KeyUsageDigitalSignature">KeyUsageDigitalSignature</span> <a href="index.html#KeyUsage">KeyUsage</a> = 1 << <a href="../../builtin/index.html#iota">iota</a> <span id="KeyUsageContentCommitment">KeyUsageContentCommitment</span> <span id="KeyUsageKeyEncipherment">KeyUsageKeyEncipherment</span> <span id="KeyUsageDataEncipherment">KeyUsageDataEncipherment</span> <span id="KeyUsageKeyAgreement">KeyUsageKeyAgreement</span> <span id="KeyUsageCertSign">KeyUsageCertSign</span> <span id="KeyUsageCRLSign">KeyUsageCRLSign</span> <span id="KeyUsageEncipherOnly">KeyUsageEncipherOnly</span> <span id="KeyUsageDecipherOnly">KeyUsageDecipherOnly</span>)</pre>
<h2 id="PEMCipher">type <a href="http://localhost:6060/src/crypto/x509/pem_decrypt.go?s=472:490#L13">PEMCipher</a></h2> <pre>type PEMCipher <a href="../../builtin/index.html#int">int</a></pre>
<pre>const ( <span id="PEMCipherDES">PEMCipherDES</span> <a href="index.html#PEMCipher">PEMCipher</a> <span id="PEMCipher3DES">PEMCipher3DES</span> <span id="PEMCipherAES128">PEMCipherAES128</span> <span id="PEMCipherAES192">PEMCipherAES192</span> <span id="PEMCipherAES256">PEMCipherAES256</span>)</pre> <p>Possible values for the EncryptPEMBlock encryption algorithm.</p>
<h2 id="PublicKeyAlgorithm">type <a href="http://localhost:6060/src/crypto/x509/x509.go?s=5065:5092#L190">PublicKeyAlgorithm</a></h2> <pre>type PublicKeyAlgorithm <a href="../../builtin/index.html#int">int</a></pre>
<pre>const ( <span id="UnknownPublicKeyAlgorithm">UnknownPublicKeyAlgorithm</span> <a href="index.html#PublicKeyAlgorithm">PublicKeyAlgorithm</a> = <a href="../../builtin/index.html#iota">iota</a> <span id="RSA">RSA</span> <span id="DSA">DSA</span> <span id="ECDSA">ECDSA</span>)</pre>
<h2 id="SignatureAlgorithm">type <a href="http://localhost:6060/src/crypto/x509/x509.go?s=4230:4257#L150">SignatureAlgorithm</a></h2> <pre>type SignatureAlgorithm <a href="../../builtin/index.html#int">int</a></pre>
<pre>const ( <span id="UnknownSignatureAlgorithm">UnknownSignatureAlgorithm</span> <a href="index.html#SignatureAlgorithm">SignatureAlgorithm</a> = <a href="../../builtin/index.html#iota">iota</a> <span id="MD2WithRSA">MD2WithRSA</span> <span id="MD5WithRSA">MD5WithRSA</span> <span id="SHA1WithRSA">SHA1WithRSA</span> <span id="SHA256WithRSA">SHA256WithRSA</span> <span id="SHA384WithRSA">SHA384WithRSA</span> <span id="SHA512WithRSA">SHA512WithRSA</span> <span id="DSAWithSHA1">DSAWithSHA1</span> <span id="DSAWithSHA256">DSAWithSHA256</span> <span id="ECDSAWithSHA1">ECDSAWithSHA1</span> <span id="ECDSAWithSHA256">ECDSAWithSHA256</span> <span id="ECDSAWithSHA384">ECDSAWithSHA384</span> <span id="ECDSAWithSHA512">ECDSAWithSHA512</span>)</pre>
<h3 id="SignatureAlgorithm.String">func (SignatureAlgorithm) <a href="http://localhost:6060/src/crypto/x509/x509.go?s=4910:4956#L183">String</a></h3> <pre>func (algo <a href="index.html#SignatureAlgorithm">SignatureAlgorithm</a>) String() <a href="../../builtin/index.html#string">string</a></pre> <h2 id="SystemRootsError">type <a href="http://localhost:6060/src/crypto/x509/verify.go?s=3548:3578#L110">SystemRootsError</a></h2> <pre>type SystemRootsError struct{}</pre> <p>SystemRootsError results when we fail to load the system root certificates.</p>
<h3 id="SystemRootsError.Error">func (SystemRootsError) <a href="http://localhost:6060/src/crypto/x509/verify.go?s=3580:3618#L112">Error</a></h3> <pre>func (<a href="index.html#SystemRootsError">SystemRootsError</a>) Error() <a href="../../builtin/index.html#string">string</a></pre> <h2 id="UnhandledCriticalExtension">type <a href="http://localhost:6060/src/crypto/x509/x509.go?s=24929:24969#L729">UnhandledCriticalExtension</a></h2> <pre>type UnhandledCriticalExtension struct{}</pre>
<h3 id="UnhandledCriticalExtension.Error">func (UnhandledCriticalExtension) <a href="http://localhost:6060/src/crypto/x509/x509.go?s=24971:25021#L731">Error</a></h3> <pre>func (h <a href="index.html#UnhandledCriticalExtension">UnhandledCriticalExtension</a>) Error() <a href="../../builtin/index.html#string">string</a></pre> <h2 id="UnknownAuthorityError">type <a href="http://localhost:6060/src/crypto/x509/verify.go?s=2658:2962#L84">UnknownAuthorityError</a></h2> <pre>type UnknownAuthorityError struct { <span class="comment">// contains filtered or unexported fields</span>}</pre> <p>UnknownAuthorityError results when the certificate issuer is unknown</p>
<h3 id="UnknownAuthorityError.Error">func (UnknownAuthorityError) <a href="http://localhost:6060/src/crypto/x509/verify.go?s=2964:3009#L94">Error</a></h3> <pre>func (e <a href="index.html#UnknownAuthorityError">UnknownAuthorityError</a>) Error() <a href="../../builtin/index.html#string">string</a></pre> <h2 id="VerifyOptions">type <a href="http://localhost:6060/src/crypto/x509/verify.go?s=4072:4585#L122">VerifyOptions</a></h2> <pre>type VerifyOptions struct { DNSName <a href="../../builtin/index.html#string">string</a> Intermediates *<a href="index.html#CertPool">CertPool</a> Roots *<a href="index.html#CertPool">CertPool</a> <span class="comment">// if nil, the system roots are used</span> CurrentTime <a href="../../time/index.html">time</a>.<a href="../../time/index.html#Time">Time</a> <span class="comment">// if zero, the current time is used</span> <span class="comment">// KeyUsage specifies which Extended Key Usage values are acceptable.</span> <span class="comment">// An empty list means ExtKeyUsageServerAuth. Key usage is considered a</span> <span class="comment">// constraint down the chain which mirrors Windows CryptoAPI behaviour,</span> <span class="comment">// but not the spec. To accept any key usage, include ExtKeyUsageAny.</span> KeyUsages []<a href="index.html#ExtKeyUsage">ExtKeyUsage</a>}</pre> <p>VerifyOptions contains parameters for Certificate.Verify. It's a structurebecause other PKIX verification APIs have ended up needing many options.</p>
<h2 id="pkg-subdirectories">Subdirectories</h2>
<div class="pkg-dir"> <table> <tr> <th class="pkg-name">Name</th> <th class="pkg-synopsis">Synopsis</th> </tr>
<tr> <td colspan="2"><a href="../index.html">..</a></td> </tr>
<tr> <td class="pkg-name" style="padding-left: 0px;"> <a href="pkix/index.html">pkix</a> </td> <td class="pkg-synopsis"> Package pkix contains shared, low level structures used for ASN.1 parsing and serialization of X.509 certificates, CRL and OCSP. </td> </tr> </table> </div>
<div id="footer">Build version go1.6.<br>Except as <a href="https://developers.google.com/site-policies#restrictions">noted</a>,the content of this page is licensed under theCreative Commons Attribution 3.0 License,and code is licensed under a <a href="http://localhost:6060/LICENSE">BSD license</a>.<br><a href="http://localhost:6060/doc/tos.html">Terms of Service</a> | <a href="http://www.google.com/intl/en/policies/privacy/">Privacy Policy</a></div>
</div><!-- .container --></div><!-- #page -->
<!-- TODO(adonovan): load these from <head> using "defer" attribute? --><script type="text/javascript" src="../../../lib/godoc/jquery.js"></script><script type="text/javascript" src="../../../lib/godoc/jquery.treeview.js"></script><script type="text/javascript" src="../../../lib/godoc/jquery.treeview.edit.js"></script>
<script type="text/javascript" src="../../../lib/godoc/godocs.js"></script>
</body></html>
|
